
Looming cybersecurity attacks – how exposed is Kenya’s Healthcare sector?

By Steve Umidha

The danger of cybercrime and security breaches looms over the healthcare industry like a slow-moving storm, according to new predictions which forecast that such breaches carry potential risks for, and an irreversible impact on, the financial health of medical provider organizations.

According to a July 2023 report from IBM and the Ponemon Institute, cybersecurity breaches cost healthcare organizations an average of $10.1 million per incident during 2022, a 9.4% increase over 2021 and well above what other sectors of the economy are forced to spend – that is in the US alone – as reported by the fiercehealth outlet.

Attacks against healthcare providers’ third-party business associates and the broader supply chain have also spiked during the last few months with most experts revealing that cyberattackers are more often leveraging software vulnerabilities as their point of entry.

“There’s a notable rise in attacks on smaller, regional healthcare providers, which may need robust cybersecurity measures,” said Ani Chaudhuri, co-founder and CEO of data security firm Dasera.

“These entities often hold highly sensitive data, making them attractive targets for hackers.”

Down-market providers such as specialty clinics or medical imaging facilities are also a rising target for attackers.

And because the legacy approach to cybersecurity prioritized monitoring and controlling network traffic, it’s now “very common” for in-use medical devices to still be running with their default passwords.

What is a cyber-attack?

A cyber-attack is any malicious attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage.

Such attacks aim to disable, disrupt, destroy or control computer systems or to alter, block, delete, manipulate or steal the data held within these systems.

Back home – Kenya

Kenya recorded a staggering 860 million cyber-attacks between January and October last year, the highest yet, according to data provided by the Communications Authority (CA).

An estimated 188 million accounts were breached by fraudsters in three months alone to March in 2023, with weak systems accounting for a chunk of overall cyber-attacks among Kenyan firms.


It said that Kenya witnessed an upsurge in “the frequency, sophistication and scale” of cyber-threats targeted at the country’s critical information infrastructure (CIIs) in 2023.

“In the last 12 months alone, the attacks have skyrocketed to a new high of 860 million cyber-attacks.

Of these attacks, 79% were a result of cyber criminals exploiting flaws and vulnerabilities in organizations’ internal controls, system procedures and information systems, which they used to gain unauthorized access to the computer systems,” the authority says in a new statement.

This is in comparison to six years ago when CA says cyber-attacks in the country stood at 7.7 million annually.

“Malicious software accounted for 14% of the attacks, while Distributed Denial of Service (DDoS) accounted for 6.5%, followed by attacks targeted at web applications,” the communications regulator adds.

In addition to attacks becoming more sophisticated, CA noted that threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices.

Malware attacks also remain one of the routes most preferred by attackers, according to CA figures, with over 26 million such attacks detected during the quarter under review.

Malware, short for malicious software, refers to any intrusive software developed by cyber-criminals (often called hackers) to steal data and damage or destroy computers and computer systems. It includes viruses, worms, Trojan viruses, spyware, adware, and ransomware.

The latest findings by the authority come on the heels of a spike in hacking activities targeting corporations since the onset of the Covid-19 pandemic, as digital thieves took advantage of weakened security with more people working from home.

Companies started reporting increased instances of hacking, mainly through password compromises, due to the unprecedented changes in the way firms and their staff are currently forced to do business.

Password compromises and insider threats are considered the biggest cyber threats, with just over half of the businesses in Kenya today operating under co.ke domains having experienced cybersecurity breaches during the period under review.

These figures come amid calls seeking closer study on the exact cost of data breaches on local businesses and their damaging impact.

Indeed, the Communications Authority in 2022 said it was considering a comprehensive scrutiny of the actual cost of cyber-crime on Kenyan firms amid concerns that a number of organizations are reporting multiple data breaches.

The then Director General Ezra Chiloba said the authority would start a study in partnership with key stakeholders to determine how much local firms actually lose when cyber criminals penetrate their systems.

“The amount quoted last year for cyber-crime cost, shows how much is lost on the global arena, locally we do not have an exact projection, and this calls for a study which we can only undertake in collaboration with our partners,” he said on the sidelines of a cyber security conference in October 2022.

Kenyan savings and credit co-operative societies (Saccos), for instance, lost Sh106 million in the 17 months to March 2021 due to cyber theft.

According to IBM, the average cost of a data breach in the financial industry is $5.85 million.

As digital transformation engulfs the financial sector, mobile banking and payment apps have become one of the top targets for cyber criminals.

Cybersecurity Ventures – a tracker and researcher for the global cyber economy – estimated in 2022 that global cyber-crime costs could grow by 15 per cent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015, cautioning that attacks are likely to increase in frequency.

A 2021 digital fraud report by credit reporting agency TransUnion also indicates that Kenyan banks are estimated to lose over $121 million every year to fraudsters through identity theft.

Kenya’s healthcare sector – in numbers

In Kenya, the government provides public health insurance through a state corporation known as the National Health Insurance Fund (NHIF).

The organization manages payroll contributions from the formal sector i.e., salaried individuals and voluntary contributions from the informal sector.

These form a funding pool that collects revenue on a monthly basis. The members can then access healthcare from both government and private hospitals.

Health systems in low- and middle-income countries (LMICs) are still heavily dependent on people making out-of-pocket (OOP) payments to cover the costs of healthcare at the time when they are using the services.

Despite the abolition of user fees at community-level dispensaries and public health centers, OOP payments continue to be a problem in the Kenyan health system. OOP payments deter some Kenyans from seeking care and cause others to become impoverished as a result of paying high hospital bills.

Kenya adopted Universal Health Coverage (UHC) as one of the Big Four priority agenda items of its immediate former President, Uhuru Kenyatta. His aspiration was that by 2022, all persons in Kenya would have the means to use the essential services they need for their health and well-being.

This was to be achieved through a single, unified benefit package without the risk of financial catastrophe.

There were a total of 9,696 health facilities in the country as of 2021, according to Africa Health Business – a health consultant in Kenya.

About 4,616 of these are owned by the public sector, 3,696 fall under the ownership of the commercial private sector, and 1,384 are owned by Faith Based Organizations (FBOs), Non-Governmental Organizations (NGOs) and Community Based Organizations (CBOs).

The distribution of health facilities shows that the Ministry of Health accounts for 42.9 percent of the total health facilities in the country, while the private sector accounts for 37.8 percent.

In Kenya, approximately 25% of Kenyans have health insurance; they may be covered by public, private or community-based health insurance schemes which means that the majority (75%) end up paying out-of-pocket, according to the report copyrighted in 2021.

What is the new medical scheme in Kenya 2023?

Evidence suggests that health system performance in Kenya remains poor. The main issue is poor leadership resulting in poor health system performance. Good leadership is an enabler of good governance, management, service delivery, and overall improvement of population health.

As a result, a new idea was formulated soon after President William Ruto assumed power in August 2022 with four new bills introducing new funding mechanisms with the aim of strengthening universal health coverage in Kenya.

The Social Health Insurance Act, 2023 (SHI Act) introduces a comprehensive scheme for social health insurance, aiming to provide financial protection and equal access to healthcare services. The SHI Act establishes the Social Health Authority (SHA) to, in part, register the beneficiaries.

The Social Health Insurance Act repeals the National Health Insurance Fund, establishing a social health authority that introduces three new funds that will secure publicly funded primary health care, universal health insurance, and equitable access to quality health services.

On 17 October, Kenya’s President, William Ruto, signed the four healthcare bills (the Social Health Insurance Bill, Primary Health Care Bill, Facility Improvement Financing Bill, and Digital Health Bill) into law after they were passed by Parliament recently.

The Social Health Insurance Act 2023, as the laws are collectively called, sets forth a comprehensive strategy to revamp Kenya’s healthcare financing system. This legislation aims to address the longstanding issues that have plagued the National Health Insurance Fund (NHIF) while simultaneously expanding the scope of health insurance coverage.

The Act establishes the Social Health Authority, replacing NHIF.

Under the umbrella of three new funds, including the Primary Healthcare Fund and Social Health Insurance Fund, the Kenya Kwanza administration pledges to deliver comprehensive healthcare coverage for the entire Kenyan population.

Legal setbacks

The government suffered a major setback last November after a judge suspended further implementation of the Social Health Insurance Act, 2023 as introduced by the Ministry of Health until February 2024.

In a brief ruling, Justice Chacha Mwita of the Milimani High Court temporarily stopped the State from enforcing three new funds gazetted by Health Cabinet Secretary Susan Nakhumicha pending determination of a case lodged in court by activist Joseph Enock.

“A conservatory order is hereby issued restraining the respondents (President William Ruto, CSs in the Ministry of Health and Information, the Attorney General, Commission for Revenue collection, The National Assembly and the Senate), their agents and or anyone acting on their directives from implementing and or enforcing the Social Health Insurance Act, 2023; The Primary Health Care Act, 2023 and The Digital Health Act, 2023 until February 7, 2024,” the judge ordered.

He granted the President, Nakhumicha, the AG, the National Assembly, the Senate, the Council of Governors and the Social Health Authority, among other respondents sued in the case, seven days to file their responses.

The Act, which repeals the National Health Insurance Fund (NHIF) and establishes three new funds, came into effect on Wednesday, November 22.

Additional sources: Citizen Digital, PD, AHB
